[python-committers] fyi - openssl vulnerability - likely in our windows builds

Gregory P. Smith greg at krypto.org
Tue Apr 24 00:47:07 CEST 2012


On Mon, Apr 23, 2012 at 2:42 PM, <martin at v.loewis.de> wrote:

>> I don't see any occurrence of these functions in the various versions of
>> the _ssl module.
>> Is Python really affected by this vulnerability?
>>
>
> We use SSL_CTX_use_certificate_chain_file, which ultimately uses
> d2i_X509_AUX_fp (I think).
>
> However, I fail to see how this constitutes a remote vulnerability:
> one would have to inject a bad PEM file into an application to trigger
> this.
>
> http://isc.sans.edu/diary.html?storyid=13018
>
> claims that this is *not* exploitable over TLS (and I agree); they
> warn that it can be exploited e.g. when Apache reads server certificates
> from untrusted users. Even in the local case, you need a Python application
> running under one account that reads certificate files belonging to
> a different (Unix) account to create an exploit.
>
> So I propose that for the regular bugfix releases, we upgrade the OpenSSL
> version, but otherwise take no action at this point.
>

given that, agreed.
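As an added illustration of the local attack surface Martin describes (a Python process under one account loading a PEM file that belongs to another account), here is a guard that refuses to hand such a file to OpenSSL's certificate loader. This is example code written for this note, not code from CPython's _ssl module; the function names check_cert_file_trust and load_trusted_cert_chain are mine, and the ownership check assumes a POSIX host.

```python
import os
import stat
import ssl


def check_cert_file_trust(path, allowed_uids=None):
    """Return True only if `path` is a regular file (not a symlink) owned by
    the current user, root, or a uid in `allowed_uids`, and is not writable
    by group or others. Anything else is treated as an untrusted PEM source.
    """
    try:
        st = os.lstat(path)  # lstat so a symlink is seen as a symlink
    except OSError:
        return False
    if stat.S_ISLNK(st.st_mode) or not stat.S_ISREG(st.st_mode):
        return False
    # os.getuid is POSIX-only; on other platforms fall back to uid 0
    current_uid = os.getuid() if hasattr(os, "getuid") else 0
    trusted_owners = {current_uid, 0}
    if allowed_uids:
        trusted_owners.update(allowed_uids)
    if st.st_uid not in trusted_owners:
        return False
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        return False
    return True


def load_trusted_cert_chain(context, certfile, keyfile=None):
    """Wrap SSLContext.load_cert_chain with the ownership/permission guard,
    so the PEM parser only ever sees files this account controls."""
    for path in (certfile, keyfile):
        if path is not None and not check_cert_file_trust(path):
            raise PermissionError(
                "refusing to load certificate material from untrusted file: %s" % path)
    context.load_cert_chain(certfile, keyfile)


if __name__ == "__main__":
    # Constructed demo: a private, owner-only file passes; a world-writable one does not.
    import tempfile
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n")
    os.chmod(tmp.name, 0o600)
    print("owner-only:", check_cert_file_trust(tmp.name))        # True
    os.chmod(tmp.name, 0o666)
    print("world-writable:", check_cert_file_trust(tmp.name))    # False
    os.unlink(tmp.name)
```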